[squid-users] squid-cache proxy which does it all
robert k Wild
robertkwild at gmail.com
Thu Jan 9 19:42:51 UTC 2020
thanks for this Amos, really appreciate it :)
On Thu, 9 Jan 2020 at 19:00, Amos Jeffries <squid3 at treenet.co.nz> wrote:
> On 9/01/20 8:34 pm, robert k Wild wrote:
> > hi all,
> >
> > I have made a script for squid that installs the following –
> >
> > Squid – http proxy server
> > Squid ssl-bump – https interception for squid
> > C-ICAP – icap server
> > clamAV – AV engine to detect trojan viruses malware etc
> > squidclamav – to make it all integrated with squid
> >
> > what do you think?
> >
> > #!/bin/bash
> > #squid on DMZ host
> > #
> > #first things first lets disable firewalld and SElinux
> > #
> > systemctl stop firewalld
> > systemctl disable firewalld
> > sed -i -e 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
> > #
>
> Why?
>
>
>
> > #squid packages
> > #
> > yum install -y epel-release swaks sed tar zip unzip curl telnet openssl openssl-devel bzip2-devel libarchive libarchive-devel perl perl-Data-Dumper gcc gcc-c++ binutils autoconf automake make sudo wget libxml2-devel libcap-devel libtool-ltdl-devel
> > #
> > #clamAV packages
> > #
> > yum install -y clamav-server clamav-data clamav-update clamav-filesystem clamav clamav-scanner-systemd clamav-devel clamav-lib clamav-server-systemd
> > #
> > #download and compile from source
> > #
> > cd /tmp
> > wget http://www.squid-cache.org/Versions/v4/squid-4.9.tar.gz
>
> Please use rsync for this, and verify against the *.asc file signature
> that you got the file correctly.
>
> > wget http://sourceforge.net/projects/c-icap/files/c-icap/0.5.x/c_icap-0.5.6.tar.gz
> > wget http://sourceforge.net/projects/c-icap/files/c-icap-modules/0.5.x/c_icap_modules-0.5.4.tar.gz
> > wget https://sourceforge.net/projects/squidclamav/files/squidclamav/7.1/squidclamav-7.1.tar.gz
> > for f in *.tar.gz; do tar xf "$f"; done
> > cd /tmp/squid-4.9
> > ./configure --with-openssl --enable-ssl-crtd --enable-icap-client &&
> > make && make install
> > #
>
> IIRC this was a CentOS machine right?
> If so, see <https://wiki.squid-cache.org/KnowledgeBase/CentOS#Compiling>
> otherwise see the equivalent wiki page for your chosen OS compile.
>
> Those settings install Squid as a system application. So no need for the
> /usr/local stuff.
>
>
> > cd /tmp/c_icap-0.5.6
> > ./configure 'CXXFLAGS=-O2 -m64 -pipe' 'CFLAGS=-O2 -m64 -pipe' --without-bdb --prefix=/usr/local && make && make install
> > #
> > cd /tmp/squidclamav-7.1
> > ./configure 'CXXFLAGS=-O2 -m64 -pipe' 'CFLAGS=-O2 -m64 -pipe' --with-c-icap=/usr/local --with-libarchive && make && make install
> > #
> > cd /tmp/c_icap_modules-0.5.4
> > ./configure 'CFLAGS=-O3 -m64 -pipe' 'CPPFLAGS=-I/usr/local/clamav/include' 'LDFLAGS=-L/usr/local/lib -L/usr/local/clamav/lib/' && make && make install
> > #
> > #creating shortcuts and copying files
> > #
> > cp -f /usr/local/squid/etc/squid.conf /usr/local/squid/etc/squid.conf.orig
> > cp -f /usr/local/etc/c-icap.conf /usr/local/etc/c-icap.conf.orig
> > cp -f /usr/local/etc/squidclamav.conf /usr/local/etc/squidclamav.conf.orig
> > cp -f /usr/local/etc/clamav_mod.conf /usr/local/etc/clamav_mod.conf.orig
> > cp -f /usr/local/etc/virus_scan.conf /usr/local/etc/virus_scan.conf.orig
> > #
> > ln -s /usr/local/squid/etc/squid.conf /etc
> > ln -s /usr/local/etc/c-icap.conf /etc
> > ln -s /usr/local/etc/squidclamav.conf /etc
> > ln -s /usr/local/etc/clamav_mod.conf /etc
> > ln -s /usr/local/etc/virus_scan.conf /etc
> > #
> > mkdir -p /usr/local/clamav/share/clamav
> > ln -s /var/lib/clamav /usr/local/clamav/share/clamav
> > #
> > #tmpfiles for run files
> > #
> > echo "d /var/run/c-icap 0755 root root -" >> /etc/tmpfiles.d/c-icap.conf
> > echo "d /var/run/clamav 0755 root root -" >> /etc/tmpfiles.d/clamav.conf
> > #
> > #delete a few lines in squid
> > #
> > sed -i '/http_port 3128/d' /usr/local/squid/etc/squid.conf
> > sed -i '/http_access deny all/d' /usr/local/squid/etc/squid.conf
>
> Please do not remove that second line from your squid.conf. It will
> result in unpredictable default allow/deny behaviour from your proxy.
>
> Instead I recommend (mind the wrap):
>
> sed -i '/# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR
> CLIENTS/include "/etc/squid/squid.conf.d/*"/'
> /usr/local/squid/etc/squid.conf
>
> Then you can just drop files into the /etc/squid/squid.conf.d/ directory
> and they will be loaded as config on next start or reconfigure.
>
>
>
> HTH
> Amos
--
Regards,
Robert K Wild.
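
The include-based approach from Amos's reply, as an added example that is not part of the original thread: it appends the include line after the marker comment (using awk instead of the quoted sed one-liner) and checks that the last `http_access` rule in the main file is still `deny all`. The function names and the sample config excerpt are constructed for illustration.

```shell
#!/bin/sh
# Added example; helper names and the sample config are constructed.
MARKER='# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS'
INCLUDE='include "/etc/squid/squid.conf.d/*"'

# Append the include line right after the marker comment, at most once.
add_include() {
    conf=$1
    grep -qF "$INCLUDE" "$conf" && return 0   # already there: nothing to do
    grep -qF "$MARKER" "$conf" || return 1    # no marker: refuse to guess a position
    awk -v m="$MARKER" -v inc="$INCLUDE" \
        '{ print } index($0, m) { print inc }' "$conf" > "$conf.new" &&
        mv "$conf.new" "$conf"
}

# Succeed only if the last active http_access rule in the file is "deny all".
# Rules pulled in by the include sit above it, so they are evaluated first.
ends_with_deny_all() {
    awk '$1 == "http_access" { rule = $2 " " $3; n = NF }
         END { exit !(rule == "deny all" && n == 3) }' "$1"
}

# Constructed excerpt of a default-style squid.conf.
make_sample() {
    cat > "$1" <<'EOF'
acl localnet src 10.0.0.0/8
http_access deny !Safe_ports
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128
EOF
}

tmp=$(mktemp)
make_sample "$tmp"
if add_include "$tmp" && ends_with_deny_all "$tmp"; then
    echo "include added; final 'http_access deny all' still in place"
fi
rm -f "$tmp" "$tmp.new"
```

The check only inspects the main file; rules dropped into `/etc/squid/squid.conf.d/` still need their own review.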